What do you know of any specific programming languages, assembly? Do you have reasonable understanding of buffers and sockets, as they relate to programming and networking? How well do you understand networking, in general and the OSI model?

Need to understand where your strengths are, and what you feel you're capable of and WANT to learn / know.

~ hayabusa ~

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'

I attended SANS 560 recently (May 2010). Before enrolling I noticed the NOTE below about the course, saying that it is a pretty technical one. I have never had a chance to go to any SANS course before, so I really can't tell how it compares to others.

I have to say that I had problems keeping up with the course, not because I’m not technical enough, but because of the speed of it - lots of material, the instructor didn't stop talking one second, and my brain works in a particular way that goes against that, when I find something that interest me, I want to fully understand it before I move on.

Just to give you an example, when the instructor talked about Pen Testing methodologies, I was familiar with one he mentioned, but not with the others, so I wanted to read the descriptions in the text book, by the time I finished, the instructor was well into the next section of the course. Basically I was playing catch up sometimes. But that is just me.

If you are asking which course to go to, I say 560, because I understand that it covers most of the material in 504 (overlap). These courses are very expensive, so there is no point attending 504 now, and later on 560, which will be mostly a repetition. Of course, if your employer is paying for the training, I guess it is a different scenario.

Just to give you some info about me, I work in Network Security and use some of these tools on a daily basis, but some were new to me. I’m very strong in Windows, weaker in Unix. I have a few certifications as well. The most technical course I have taken was "Oracle University" PL/SQL for Oracle 8, back in 1999, and I really got some grey hairs because of it, it was very difficult for me at the time. In comparison, SANS 560 was a very satisfying course.

As you can see, “technical course” or a “challenging course” depends on your own technical skills and where you are in your career.

Marcos in Toronto

IMPORTANT NOTE: SANS Security 560 is one of the most technically rigorous courses offered by the SANS Institute. Attendees are expected to have a working knowledge of TCP/IP, cryptographic routines such as DES, AES, and MD5, and the Windows and Linux command lines before they step into class. Although SANS Security 401 (Security Essentials) and then next SANS Security 504 (Hacker Techniques, Exploits, and Incident Handling) are not pre-requisites for 560, these courses cover the groundwork that all 560 attendees are expected to know. While 560 is technically in-depth, it is important to note that programming knowledge is NOT required for the course.

marcos_s wrote:Attendees are expected to have a working knowledge of TCP/IP, cryptographic routines such as DES, AES, and MD5, and the Windows and Linux command lines before they step into class.

Very key words here: expected to have versus should have. I can't comment on the 560, I've never taken it but have heard this same thing before about the SANS course (fast paced) and what I can suggest in situations like this is: "Jot it down in a notebook and revise it on your own time!"

Think about the following situation. You pay out of pocket to attend a course. Time is money and you have N amount of days to learn/grasp/understand it. During the course, someone stops the instructor to go over every nook and cranny. Is it fair to you, you paid your money, you have your allocated time.

On the flip side, AFTER the session (as most of these types of classes have a timeframe/schedule), you could try to ask the proctor or other class members, or revisit it on your own accord on your own time since you have it jotted down. Another thing to do for ANY course is to look for key indicators on the content type. If it were me coming into the class, I would have taken some time to look up anything related to penetration testing. E.g. "penetration testing concepts", "penetration testing guidelines", "penetration testing frameworks" to give yourself a running headstart.

Just my two cents. ... Hope Lenny doesn't proctor the GREM class like that. I might have to send him ICMP source quenches to slow his role

I jot notes, as sil noted, but I also tend to throw my ipod recorder next to me, or record with my laptop webcam, to review and re-jot notes at the hotel at night, etc, when I take these courses. Sometimes, it helps to be able to review again, when I can pause it, etc.

~ hayabusa ~

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'